Penetration Testing: Dead in 2009
Does penetration testing belong in the QA department? Fortify Co-Founder and Chief Scientist Brian Chess says 2009 will mark the end of pen tests as we know them. His theory is being met with resistance.
By Bill Brenner, Senior Editor
"I can totally see where his customers are coming from," Caceres said. "All things being equal, preventing holes from even existing is a much more interesting approach than riding the find-report-hope-somebody-fixes-it hamster wheel."
But, he added, Chess' prediction may be more of an imagined utopia than a real alternative.
"We have been finding bugs for a while, the most common problems are well understood and documented, yet we keep deploying vulnerable apps," he said. "If we believe true perfection is unattainable -- and I do, particularly for application development, we have yet to invent the tool that produces bug-free code -- then apps will always have bugs that need fixing, and some of them will be security related."
And that's where penetration testing will remain valuable, he said.
Kevin Riggins, a senior information security analyst for a company in the Des Moines, Iowa, area, said it's hard to argue with Chess' premise that the goal should be fewer failures. But he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing. Furthermore, he said, echoing Jabbusch, production monitoring and measurement on the one hand, and penetration testing on the other, do not address the same issue.
"The first measures the availability and effectiveness of your production environment," he said in exchanges via Twitter and e-mail. "The second measures its ability to resist intrusion or attack. They are not the same and you can't get from one to the other by transformation."
A better argument for the death of penetration testing is that there will always be issues found, some of which cannot be fixed or effectively mitigated, he added. Therefore, what is the real value to the organization in performing this type of test?
"Don't get me wrong, I don't subscribe to this argument either," Riggins said.
In the final analysis, he said, security pros can't stop performing penetration tests until the current compliance requirements are removed. That's not happening any time soon.
"Penetration tests and vulnerability scans help us find where our processes, procedures, and standards might need work," he said.